
Biometric spoofing and liveness checks: are your controls keeping up?


(@nhi-mgmt-group)

TL;DR: Biometric spoofing turns fingerprints, faces, and iris scans into presentation-attack targets, and the article explains why liveness detection is now central to stronger identity assurance, according to 1Kosmos. The issue is not that biometrics fail outright, but that assurance collapses when systems cannot prove the sample came from a live person.

NHIMG editorial — based on content published by 1Kosmos: Biometric spoofing and liveness detection in identity assurance

Questions worth separating out

Q: How should organisations defend biometric authentication against spoofing attacks?

A: Defence starts with liveness detection, but it must extend to the entire capture path.

Q: Why do biometrics still need liveness detection in identity assurance?

A: Because a biometric sample proves similarity, not presence.

Q: What do security teams get wrong about passwordless biometric login?

A: They often assume passwordless means spoof-resistant by default.

Practitioner guidance

  • Define where biometrics are allowed to satisfy assurance: Limit biometric authentication to use cases where the assurance level, capture device, and fraud tolerance are explicitly defined.
  • Require liveness testing matched to the modality: Use active or passive liveness controls that are appropriate to the biometric in question, and validate them against print, replay, mask, and injection scenarios.
  • Protect the full capture and transmission path: Harden cameras, sensors, SDKs, and API channels against manipulation, script injection, and tampering.

What's in the full article

1Kosmos's full article covers the operational detail this post intentionally leaves for the source:

  • Side-by-side examples of print, replay, 3D mask, and deepfake facial spoofing techniques
  • Practical discussion of active versus passive liveness detection tradeoffs for verification flows
  • Implementation detail on anti-spoofing algorithms, true-depth camera checks, and SDK protections
  • Compliance references to NIST 800-63-3, iBeta ISO/IEC 30107-3, UK DIATF, GDPR, and KYC/KYE

👉 Read 1Kosmos's guide to biometric spoofing and liveness detection →
